GM/T 0069-2019 English PDF (GMT0069-2019)
GM/T 0069-2019: Open identity authentication framework
GM/T 0069-2019
GM
CRYPTOGRAPHIC INDUSTRY STANDARD
OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Open identity authentication framework
ISSUED ON: JULY 12, 2019
IMPLEMENTED ON: JULY 12, 2019
Issued by: State Cryptography Administration
Table of Contents
Foreword ... 4 
Introduction ... 5 
1 Scope ... 6 
2 Normative references ... 6 
3 Terms and definitions ... 7 
4 Abbreviations ... 11 
5 Overview ... 12 
6 Entity requirements ... 14 
6.1 Requirements for identity service providers ... 14 
6.2 Requirements for relying party ... 17 
7 Identification process ... 19 
7.1 Identification process type ... 19 
7.2 Authorization code authentication process ... 20 
7.3 Implicit authentication flow ... 36 
7.4 Hybrid authentication flow ... 41 
7.5 Access token refresh mechanism ... 47 
8 Token ... 49 
8.1 Token type ... 49 
8.2 JSON token ... 52 
8.3 Token security protection requirements ... 55 
9 User information access ... 57 
9.1 Types of claims ... 57 
9.2 Language and writing claim ... 60 
9.3 User information endpoint ... 60 
9.4 User information request claim ... 63 
9.5 Stability and uniqueness of claim ... 67 
10 Signature and encryption requirements ... 68 
10.1 Overview ... 68 
10.2 Signature ... 68 
10.3 Encryption ... 69 
10.4 Entropy of symmetric key ... 71 
10.5 Order of signature and encryption ... 71 
Appendix A (Normative) Normal claim ... 72 
Appendix B (Informative) Basic configuration of identity service provider ... 74 
Appendix C (Informative) Relying party's registration information ... 77 
References ... 80 
Open identity authentication framework
1 Scope
This standard specifies the protocol framework by which relying parties (network
applications or services) use the authentication function provided by an
identity service provider to authenticate end users. It defines the requirements
for the entities involved in the protocol, the authentication protocol flows, the
requirements for access to user information, and the encryption and signature
requirements for protocol messages.
This standard applies to the development, testing, evaluation and procurement
of user identification services in scenarios where end users access network
applications.
2 Normative references
The following documents are essential to the application of this document. For
dated references, only the version with the indicated date applies to this
document; for undated references, the latest version (including all
amendments) applies to this standard.
GB/T 32905-2016 Information security technology - SM3 cryptographic hash algorithm
GB/T 32907-2016 Information security technology - SM4 block cipher algorithm
GB/T 32918.2-2016 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 2: Digital signature algorithm
GB/T 32918.4-2016 Information security technology - Public key cryptographic algorithm SM2 based on elliptic curves - Part 4: Public key encryption algorithm
GM/T 0024-2014 SSL VPN specification
GM/T 0068-2019 Open third party resource authorization protocol framework
ISO 639-1 Codes for the representation of names of languages - Part 1: Alpha-2 code
ISO 3166-1 Codes for the representation of names of countries and their subdivisions - Part 1: Country codes
ISO 8601:2004 Data elements and interchange formats - Information interchange - Representation of dates and times
ISO/IEC 29115:2013 Information technology - Security techniques - Entity authentication assurance framework
RFC 1867 Form-based file upload in HTML
RFC 3966 The tel URI for telephone numbers
RFC 3986 Uniform Resource Identifier (URI): Generic syntax
RFC 4627 The application/json media type for JavaScript Object Notation (JSON)
RFC 5322 Internet message format
RFC 5646 Tags for identifying languages
RFC 6125 Representation and verification of domain-based application service identity within Internet public key infrastructure using X.509 (PKIX) certificates in the context of Transport Layer Security (TLS)
E.164 The international public telecommunication numbering plan
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Access token
A token issued by the authorization server that proves an entity is authorized
to access protected resources within a specific scope.
3.2
Authentication request
A request whose purpose is to authenticate the identity of the end user.
Note: After the identity service provider receives the request sent by the relying
party, it authenticates the end user.
5 Overview
The identity authentication protocol framework specified in this standard allows
the relying party to use the authentication service of the identity service provider
to authenticate the end user. After the end user is successfully authenticated,
the relying party can obtain the authorized user’s identity information from the
identity service provider.
The identity authentication protocol framework specified in this standard
involves three types of participating entity: relying parties, identity service
providers and end users. This standard mainly regulates the functions of relying
parties and identity service providers:
- Relying party: When an end user accesses the relying party, the relying party
shall authenticate the end user. For end users who have not yet been
authenticated, the relying party selects an identity service provider to
authenticate the end user;
- Identity service provider: Authenticates the end user; after successful
authentication, asks the end user whether the relying party is authorized to
access the user's identity information. Once the end user has granted
authorization, the authorized identity information is sent to the relying party,
completing identity authentication. Within the identity service provider, the
authorization server performs the identification of the end user and exposes
two functional interfaces: an authorization endpoint and a token endpoint. The
identity service provider gives the relying party access to user information
by providing a user information endpoint.
Endpoints are identified by URI. The typical format of a URI is
[scheme:][//authority][path][?query][#fragment]. The query component and the
fragment component use the "application/x-www-form-urlencoded" encoding (see
RFC 1867).
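As an added illustration (not text or code from the standard), the following Python assembles and decomposes an endpoint URI in the component form given above, form-encoding the query and fragment, and shows the check a relying party applies before redirecting an end user: the target must match the scheme and authority of an identity service provider it trusts. The trusted provider, the `/authorize` path and the parameter names are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode, parse_qs

# Constructed sample configuration: the relying party trusts exactly one
# identity service provider, identified by scheme plus authority.
TRUSTED_IDP = {"scheme": "https", "authority": "idp.example.test"}


def build_endpoint_uri(scheme, authority, path, query=None, fragment=None):
    """Assemble [scheme:][//authority][path][?query][#fragment].

    Query and fragment are dicts that are serialised as
    application/x-www-form-urlencoded (spaces become '+', other reserved
    characters are percent-encoded); empty components are omitted."""
    q = urlencode(query or {}, doseq=True)
    f = urlencode(fragment or {}, doseq=True)
    return urlunsplit((scheme, authority, path, q, f))


def split_endpoint_uri(uri):
    """Decompose a URI into its five components, form-decoding the query and
    fragment into {name: [values]} so repeated parameters are preserved."""
    parts = urlsplit(uri)
    return {
        "scheme": parts.scheme,
        "authority": parts.netloc,
        "path": parts.path,
        "query": parse_qs(parts.query, keep_blank_values=True),
        "fragment": parse_qs(parts.fragment, keep_blank_values=True),
    }


def is_trusted_endpoint(uri, trusted=TRUSTED_IDP):
    """Only redirect end users to an identity service provider the relying
    party trusts: require the configured scheme and an exact authority match.
    The full authority (including any userinfo) is compared, so look-alike
    hosts or 'trusted-host@other-host' forms are rejected; substring or
    prefix checks would not give that guarantee."""
    parts = split_endpoint_uri(uri)
    return (parts["scheme"] == trusted["scheme"]
            and parts["authority"] == trusted["authority"])


if __name__ == "__main__":
    uri = build_endpoint_uri("https", "idp.example.test", "/authorize",
                             {"client_id": "rp 1", "scope": "openid"})
    print(uri, is_trusted_endpoint(uri))
```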
The interaction between the relying party, the identity service provider and the
end user shall use cryptographic technology to ensure security. Both the relying
party and the identity service provider shall carry out the relevant
configuration to support the protocol. This standard regulates the entity
requirements of the relying party and the identity service provider (see Chapter 6).
When an end user accesses a service provided by a relying party, if the
relying party requires the end user to be authenticated and supports the
protocol defined in this standard, the relying party can redirect the end user to
an identity service provider trusted by the relying party and execute the
information. By using a security token, it is possible to avoid sharing the identity
credentials of the end user with the relying party, and to securely present the identity
information of the end user to the relying party. In ...